Re: [Openvpn-devel] [PATCH v4] Improve "recursive routing" warning message

2021-03-25 Thread tincanteksup
On 26/03/2021 01:09, tincanteksup wrote: Hi, On 25/03/2021 23:26, Antonio Quartulli wrote: Hi, On 30/10/2018 13:53, Lev Stipakov wrote: From: Lev Stipakov + +    msg(D_LOW, "Recursive routing detected, drop packet %s. Fix your routing or consider using --allow-recursive-ro

Re: [Openvpn-devel] [PATCH v4] Improve "recursive routing" warning message

2021-03-25 Thread tincanteksup
Hi, On 25/03/2021 23:26, Antonio Quartulli wrote: Hi, On 30/10/2018 13:53, Lev Stipakov wrote: From: Lev Stipakov + +msg(D_LOW, "Recursive routing detected, drop packet %s. Fix your routing or consider using --allow-recursive-routing option.", BSTR(&addrs_buf)); I would add "if yo

Re: [Openvpn-devel] [PATCH] Always disable SSL renegotiations

2021-03-25 Thread tincanteksup
Hi, On 25/03/2021 23:15, Antonio Quartulli wrote: Hi, On 25/03/2021 18:44, Arne Schwabe wrote: These have been troublesome in the past and also today's CVE-2021-3449 DOS is only exploitable if renegotiation is enabled. Signed-off-by: Arne Schwabe What is the practical effect of this change

Re: [Openvpn-devel] [PATCH 1/2] Deprecate non TLS mode in OpenVPN

2021-03-25 Thread tincanteksup
Hi, On 25/03/2021 07:59, Antonio Quartulli wrote: Hi, On 25/03/2021 08:49, Antonio Quartulli wrote: That change (that was *Actually* made in 2.4) was exactly to remove this ambiguity. Forgive my hasty reply. This combination of option is actually not-supported since 2.5 (in 2.4 we probably o

Re: [Openvpn-devel] [PATCH 1/2] Deprecate non TLS mode in OpenVPN

2021-03-24 Thread tincanteksup
I made this change to the wiki: https://community.openvpn.net/openvpn/wiki/DeprecatedOptions?action=diff&version=45 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH v2] Implement '--compress migrate' to migrate to non-compression setup

2021-03-24 Thread tincanteksup
I found a typo, so I double checked every comment. On 24/03/2021 22:08, Arne Schwabe wrote: diff --git a/src/openvpn/ssl_util.h b/src/openvpn/ssl_util.h index 741a7782..472aa591 100644 --- a/src/openvpn/ssl_util.h +++ b/src/openvpn/ssl_util.h @@ -54,4 +54,19 @@ extract_var_peer_info(const cha

Re: [Openvpn-devel] [PATCH applied] Re: Do not print Diffy Hellman parameters file to log file

2021-03-18 Thread tincanteksup
How embarrassing .. On 18/03/2021 07:12, Gert Doering wrote: Your patch has been applied to the master and release/2.5 branch. I've corrected the spelling of "Diffy" to "Diffie", according to https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange I have not tested this further than "it

[Openvpn-devel] Indicate correct PUSH status in log

2021-03-16 Thread tincanteksup
Hi, This: 2021-03-16 23:11:15 us=420944 w-c01/10.10.201.226:53237 SENT CONTROL [w-c01]: 'P USH_REPLY,comp-lzo no,explicit-exit-notify 2,route 10.33.70.1,topology net30,pin g 10,ping-restart 60,ifconfig 10.33.70.6 10.33.70.5,peer-id 0,cipher AES-256-GCM ' (status=1) 2021-03-16 23:11:15 us=453

Re: [Openvpn-devel] [PATCH] Require at least 20MB of mlock()-able memory if --mlock is used.

2021-03-09 Thread tincanteksup
On 09/03/2021 20:53, David Sommerseth wrote: On 09/03/2021 21:04, tincanteksup wrote: > I have swapping issues all the time and I can't add more RAM. I don't want system wide disk encryption. And I don't want an SSD either. I do not have the money to keep up with modern

Re: [Openvpn-devel] [PATCH] Require at least 20MB of mlock()-able memory if --mlock is used.

2021-03-09 Thread tincanteksup
On 09/03/2021 18:52, David Sommerseth wrote: On 08/03/2021 14:45, tincanteksup wrote: On 08/03/2021 08:06, Arne Schwabe wrote: Looking at this feature  from today's perspective, it feels like one of OpenVPN's boutique features. Was probably useful at some point but doesn

Re: [Openvpn-devel] [PATCH] Require at least 20MB of mlock()-able memory if --mlock is used.

2021-03-08 Thread tincanteksup
On 08/03/2021 08:06, Arne Schwabe wrote: Looking at this feature from today's perspective, it feels like one of OpenVPN's boutique features. Was probably useful at some point but doesn't really make much sense today anymore. Especially with what is written in the manpage. Today you rather wo

Re: [Openvpn-devel] [PATCH] Require at least 20MB of mlock()-able memory if --mlock is used.

2021-03-07 Thread tincanteksup
On 07/03/2021 19:20, Selva Nair wrote: Rereading my comment on Trac #1059 I recall testing this and concluding 100MB enough for clients. On modern machines that's a low amount of memory --- not allowing swapout of 100MB should be acceptable. For servers, I think there is no reliable limit th

Re: [Openvpn-devel] [vbox-dev] Oracle VirtualBox v6.1.19 Test Build 142917 - Not working on Windows 10 Insider Dev builds

2021-03-02 Thread tincanteksup
Copying to openvpn I'm not sure if this will affect you, just something to look into.. The ticket is: https://www.virtualbox.org/ticket/20226 On 02/03/2021 15:50, Klaus Espenlaub wrote: well, the mystery has been resolved (see the ticket). Thanks fth0 for looking closer than Microsoft's signat

Re: [Openvpn-devel] TLS Crypt v2 metadata name from openvpn

2021-02-18 Thread tincanteksup
Hi, minor follow up. This is not exactly a bug because it does work fine. However, this is the 'metadata_file' name as presented to Windows: metadata_file=C:\Users\IEUser\AppData\Local\Temp\\openvpn_tls_crypt_v2_metadata__3a06867f5bcca86b.tmp Note: Temp\\openvpn_ R _

Re: [Openvpn-devel] [Openvpn-devel/users] Debugging Windows based server scripts

2021-02-18 Thread tincanteksup
On 18/02/2021 19:13, Selva Nair wrote: Hi, On Wed, Feb 17, 2021 at 5:38 PM tincanteksup wrote: Hi, due to not being allowed to have scripts "echo data" to the log file under Windows, debugging scripts is next to impossible. I presume there are no compile time options to en

[Openvpn-devel] [Openvpn-devel/users] Debugging Windows based server scripts

2021-02-17 Thread tincanteksup
Hi, due to not being allowed to have scripts "echo data" to the log file under Windows, debugging scripts is next to impossible. I presume there are no compile time options to enable "echo" under Windows ? Could anybody provide me with a patch to enable "echo" just for the purpose of debuggi

[Openvpn-devel] [openvpn-devel] public man page

2021-01-31 Thread tincanteksup
hi, i know it is hard to do but it has been done before ... https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage ... Please make the 2.5 manual page.

[Openvpn-devel] [openvpn-devel] Wiki Howto URL

2021-01-27 Thread tincanteksup
Hi, in the Howto there was this URL: https://community.openvpn.net/openvpn/wiki/HOWTO#ExpandingthescopeoftheVPNtoincludeadditionalmachinesoneithertheclientorserversubnet. Note: There is a fullstop on the end. I changed this URL to: https://community.openvpn.net/openvpn/wiki/HOWTO#Expandingthesc

Re: [Openvpn-devel] [PATCH] Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL

2021-01-21 Thread tincanteksup
feed back: On 22/01/2021 07:02, Arne Schwabe wrote: Am 21.01.21 um 14:39 schrieb Gert Doering: Without this patch, if openpn is using a plugin that provides OPENVPN_PLUGIN_ENABLE_PF but then fails (returns OPENVPN_PLUGIN_FUNC_ERROR), OpenVPN will crash on a NULL pointer reference. The underlyi

Re: [Openvpn-devel] Summary of the community meeting (20th January 2021)

2021-01-20 Thread tincanteksup
FYI, Full chatlog NOT attached On 20/01/2021 11:34, Samuli Seppänen wrote: Hi, Here's the summary of the IRC meeting. --- COMMUNITY MEETING Place: #openvpn-meeting on irc.freenode.net Date: Wed 20th January 2021 Time: 11:30 CET (10:30 UTC) Planned meeting topics for this meeting were here:

Re: [Openvpn-devel] Man sections: typo (No patch)

2021-01-19 Thread tincanteksup
Patchworks did not pick this up the way I expected.

Re: [Openvpn-devel] Man sections: typo (No patch)

2021-01-19 Thread tincanteksup
Just FTR. diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 5dd20013..28cf6f1e 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -422,13 +422,13 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa :code:

Re: [Openvpn-devel] [PATCH] Clarify --block-ipv6 intent and direction.

2020-12-25 Thread tincanteksup
On 25/12/2020 16:42, Gert Doering wrote: --block-ipv6 is a fairly special-purpose option, and only blocks packet in the client->server option. This is implied by not ever mentioning the other direction in the existing documentation, but not written down. Make this explicit, avoid confusion.

Re: [Openvpn-devel] Travis-ci is changing billing

2020-12-23 Thread tincanteksup
On 23/12/2020 18:03, Илья Шипицин wrote: On Wed, Dec 23, 2020, 10:42 PM Gert Doering wrote: Hi, On Wed, Dec 23, 2020 at 04:06:26PM +, tincanteksup wrote: This may help shed some light: https://blog.travis-ci.com/2020-11-02-travis-ci-new-billing I'm more confused than before.

Re: [Openvpn-devel] Travis-ci is changing billing

2020-12-23 Thread tincanteksup
This may help shed some light: https://blog.travis-ci.com/2020-11-02-travis-ci-new-billing On 23/12/2020 05:44, Илья Шипицин wrote: https://news.ycombinator.com/item?id=25338983 Actually, not many choices, either to drop Travis or to pay for it. Ilya

Re: [Openvpn-devel] wanted: mechanism to send text messages to client

2020-12-20 Thread tincanteksup
Gert, using server side scripting, I can push *literally* anything I want to the server via --push-peer-info and setenv UV_* Example: setenv UV_PING 10 setenv UV_PINGRESTART 60 My server side script allows the client to effectively configure --keepalive (and a LOT more) My guess would be t

Re: [Openvpn-devel] Community meetings in December 2020

2020-12-10 Thread tincanteksup
Please discuss and resolve the fate of the OpenVPN-Legacy-Service for Windows. Ref: https://community.openvpn.net/openvpn/ticket/1344 Official status of deprecation/removal requested.

[Openvpn-devel] Man sections: typo (No patch)

2020-12-05 Thread tincanteksup
Sorry for lack of patch. diff --git a/doc/man-sections/renegotiation.rst b/doc/man-sections/renegotiation.rst index b817cfa8..c5484404 100644 --- a/doc/man-sections/renegotiation.rst +++ b/doc/man-sections/renegotiation.rst @@ -35,7 +35,7 @@ separate ephemeral encryption key which is rotated at

Re: [Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode without CA

2020-09-09 Thread tincanteksup
On 09/09/2020 11:21, Arne Schwabe wrote: Am 09.09.20 um 10:04 schrieb François Kooman: On 9/8/20 6:38 PM, Arne Schwabe wrote: I really wonder which large deployment want to do that instead of a CA. I really understand the need for small and simple deployments. But for larger deployments a CA

Re: [Openvpn-devel] New man-section pages format

2020-09-04 Thread tincanteksup
On 04/09/2020 14:36, David Sommerseth wrote: On 04/09/2020 15:21, tincanteksup wrote: Hi, this is just something to chew-over.. See: https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/generic-options.rst I noticed that generally the option names, eg: --auth-nocache, wrap and

[Openvpn-devel] New man-section pages format

2020-09-04 Thread tincanteksup
Hi, this is just something to chew-over.. See: https://github.com/OpenVPN/openvpn/blob/master/doc/man-sections/generic-options.rst I noticed that generally the option names, eg: --auth-nocache, wrap and the result is unpleasant. However, further down that same page --daemon progname does n

Re: [Openvpn-devel] [PATCH] Fix client's poor man NCP fallback

2020-08-29 Thread tincanteksup
Hi, sorry to interrupt, Rafael could you please confirm if you find this document to be correct/incorrect for your use case: https://community.openvpn.net/openvpn/wiki/CipherNegotiation Also note, this patch has been merged so make sure your binary has been compiled with it. On 29/08/2020

Re: [Openvpn-devel] [PATCH v4 2/2] Implement generating data channel keys via EKM/RFC 5705

2020-08-25 Thread tincanteksup
This sentence is badly constructed, so, use some grammar to help it read correctly: On 25/08/2020 08:36, Arne Schwabe wrote: + * When the client sends the IV_PROTO_TLS_KEY_EXPORT flag and the server replies + * with `key-derivation tls-ekm` the RFC5705 key material exporter with the + * labe

Re: [Openvpn-devel] [PATCH] Fix client's poor man NCP fallback

2020-08-23 Thread tincanteksup
On 14/08/2020 19:50, tincanteksup wrote: Hi, I tested this patch and it does make --data-ciphers and --data-ciphers-fallback behave in their intended "fashion". Unfortunately, the commit message is grammatically incorrect and also logically misleading. The intended fashion is for -

Re: [Openvpn-devel] 2.5-beta-1 Windows installer problems

2020-08-17 Thread tincanteksup
"other" user because they are already there and so the installer does not erroneously try to install the drivers again when the user changes. That is my best guess. I don't think anybody needs to respond to this thread any further. Regards Richard On 16/08/2020 14:05, tincan

Re: [Openvpn-devel] 2.5-beta-1 Windows installer problems

2020-08-16 Thread tincanteksup
. Win7 install seems to have the same issues of who is allowed to install openvpn but does a bad job of it, no admin password prompt. I know this is a beta so I'm not complaining, only offering feedback Regards On 15/08/2020 19:31, tincanteksup wrote: Comment inline: On 15/08/2020

Re: [Openvpn-devel] 2.5-beta-1 Windows installer problems

2020-08-15 Thread tincanteksup
Comment inline: On 15/08/2020 19:29, tincanteksup wrote: Hi, I would like to document the very strange issues I had testing the 2.5 MSI installers. The first test was on a Win7-Ent/32bit VM with 32bit installer.  The second test was a real PC with Win7-HomePro/64bit (yeah, user did not

[Openvpn-devel] 2.5-beta-1 Windows installer problems

2020-08-15 Thread tincanteksup
Hi, I would like to document the very strange issues I had testing the 2.5 MSI installers. The first test was on a Win7-Ent/32bit VM with 32bit installer. The second test was a real PC with Win7-HomePro/64bit (yeah, user did not want w10) 64bit installer. The third test was Win10/64bit VM 6

Re: [Openvpn-devel] [PATCH] Fix client's poor man NCP fallback

2020-08-14 Thread tincanteksup
Hi, I tested this patch and it does make --data-ciphers and --data-ciphers-fallback behave in their intended "fashion". Unfortunately, the commit message is grammatically incorrect and also logically misleading. The intended fashion is for --data-ciphers to recognise that the correct ciphe

Re: [Openvpn-devel] [PATCH v2 3/3] Implement generating data channel keys via EKM/RFC 5705

2020-08-12 Thread tincanteksup
typos/grammar On 12/08/2020 15:01, Arne Schwabe wrote: OpenVPN currently uses its own (based on TLS 1.0) key derivation mechansim to generate the 256 bytes key data in key2 struct that mechansim -> mechanism are then used used to generate encryption/hmac/iv vectors. While this mechanism is

Re: [Openvpn-devel] [PATCH v2 1/3] Refactor key_state_export_keying_material functions

2020-08-12 Thread tincanteksup
typo On 12/08/2020 15:01, Arne Schwabe wrote: This refactors the common code between mbed SSL and OpenSSL into export_user_keying_material and also prepares the backend functions to export more than one key. Also fix checking the return value of SSL_export_keying_material only 1 is a sucess, -1

Re: [Openvpn-devel] [PATCH v3 2/2] Document different behaviour of dynamic cipher negotiation

2020-08-09 Thread tincanteksup
spelling/grammar and some questions ... On 09/08/2020 15:19, Arne Schwabe wrote: This adds a section in the man page that details the various behaviour of older client/servers when using OpenVPN 2.5. Signed-off-by: Arne Schwabe --- Changes.rst | 23 +++ doc/

Re: [Openvpn-devel] [PATCH v3 1/2] Rework NCP compability logic and drop BF-CBC support by default

2020-08-09 Thread tincanteksup
spelling/grammar Couple of typos and some suggested grammar improvements. On 09/08/2020 15:19, Arne Schwabe wrote: This reworks the NCP logic to be more strict about what is considered an acceptable result of an NCP negotiation. It also us to finally drop BF-CBC support by default. It is also

Re: [Openvpn-devel] [PATCH v2] Rework NCP compability logic and drop BF-CBC support by default

2020-08-05 Thread tincanteksup
On 05/08/2020 21:25, Steffan Karger wrote: Hi, No full review yet, but this version does seem to address my previous comments. Some minor nits I noticed on my first run through v2: On 29-07-2020 13:38, Arne Schwabe wrote: This reworks the NCP logic to be more strict about what is considered

Re: [Openvpn-devel] [PATCH 9/9] Rework NCP compability logic and drop BF-CBC support by default

2020-07-28 Thread tincanteksup
10x more wee pointers On 28/07/2020 13:27, Steffan Karger wrote: Hi, This is awesome in many ways. Better behaviour, better code and a nice way forward to really get rid of the BF-CBC default cipher. It's also somewhat tricky, so here goes for a review purely based on stare-at-code: On 17-07-

Re: [Openvpn-devel] [PATCH 2/2] Avoid sending push request after receving push reply

2020-07-26 Thread tincanteksup
a little help.. On 26/07/2020 00:48, Arne Schwabe wrote: The introduction of IV_PROTO_REQUEST_PUSH (c290df55) sometimes causes the server to reply before we setup the push timer. The push reply will then clear a timer that has not been setup yet. We then start sending push request after we have

Re: [Openvpn-devel] [PATCH] Refuse PUSH_REQUEST as client/refactor process_incoming_push_request

2020-07-26 Thread tincanteksup
Sanity check: On 26/07/2020 00:51, Arne Schwabe wrote: When a server sends a client a push request, the client will reply with a push reply. The reply is bogus and almost empty since almost all the options that are normally set (remote ip etc) are unset. I checked 2.4 and master and this does n

Re: [Openvpn-devel] Regarding deprecation of --route-nopull

2020-07-25 Thread tincanteksup
Hi, thanks for the list! On 24/07/2020 11:00, Arne Schwabe wrote: To emulate pull-filter with pull-filter you need to block this list: redirect-private redirect-gateway block-ipv6 client-nat route route-ipv6 route-gateway route-metric ip-win32 dhcp-option dhcp-renew register-dns tap-sleep bloc

Re: [Openvpn-devel] [PATCH 1/3] Refactor/Reformat tls_pre_decrypt

2020-07-22 Thread tincanteksup
3x minor typos On 22/07/2020 10:30, Arne Schwabe wrote: - Extract data packet handling to its own function - Replace two instances of if (x) { code } with if (!x) return; code - Remove extra curly braces that were used for pre C99 code style to be able to declare var

Re: [Openvpn-devel] [PATCH v6 4/9] Implement tls-groups option to specify eliptic curves/groups

2020-07-21 Thread tincanteksup
8x fix - 2x suggestion On 21/07/2020 16:49, Arne Schwabe wrote: By default OpenSSL 1.1+ only allows signatures and ecdh/ecdhx from the default list of X25519:secp256r1:X448:secp521r1:secp384r1. In TLS1.3 key exchange is independent from the signature/key of the certificates, so allowing all grou

Re: [Openvpn-devel] [PATCH 1/9 v3] Indicate that a client is in pull mode in IV_PROTO

2020-07-21 Thread tincanteksup
, incoperate spelling fixes by tincanteksup. incoperate -> incorporate =] Please feel free use my full details: Richard Bonhomme Signed-off-by: Arne Schwabe --- doc/man-sections/server-options.rst | 10 -- src/openvpn/multi.c | 12 ++-- src/open

Re: [Openvpn-devel] [PATCH v3 5/9] Remove key-method 1

2020-07-21 Thread tincanteksup
1x typo On 21/07/2020 11:01, Arne Schwabe wrote: Key-method 1 is only needed to talk to pre OpenVPN 2.0 clients. Patch V2: Fix style. Make V1 op codes illegal, remove all code handling v1 op codes and give a good warning message if we encounter them in the legal op codes p

Re: [Openvpn-devel] [PATCH v7] client-connect: Add documentation for the deferred client connect feature

2020-07-20 Thread tincanteksup
1x typo, 3x suggestions On 20/07/2020 15:27, Arne Schwabe wrote: Signed-off-by: David Sommerseth Signed-off-by: Arne Schwabe Patch V5: Fix typos, clarify man page section about deferred client-connect script. Add section to Changes.rst Patch V6: Convert manpage to rst

Re: [Openvpn-devel] [PATCH v2 1/9] Indicate that a client is in pull mode in IV_PROTO

2020-07-20 Thread tincanteksup
Hi, On 20/07/2020 10:17, Arne Schwabe wrote: This allows us to skip waiting for the first PUSH_REQUEST message from the client to send the response. This changes the interpretation of IV_PROTO from a scalar to a bitfield Since we only have IV_PROTO=2 defined so far and will support DATA_V2 this

Re: [Openvpn-devel] [PATCH v8 2/5] client-connect: Add deferred support to the client-connect script handler

2020-07-19 Thread tincanteksup
4x typo On 19/07/2020 18:34, Arne Schwabe wrote: From: Fabian Knittel This patch introduces the concept of a return value file for the client-connect handlers. (This is very similar to the auth value file used during deferred authentication.) The file name is stored in the client_connect_stat

Re: [Openvpn-devel] [PATCH 12/16] doc/man: Misc grammar and typo fixes

2020-07-16 Thread tincanteksup
Hi, I recognise all these changes as my own. Even so, I do not understand why these two variant are present: EG: + entry is tried. Specifying ``n`` as :code:`1` would try See --connect-retry-max here: https://gitlab.com/dazo/openvpn/-/blob/dev/man-reformatting/doc/man-sections/client-opt

Re: [Openvpn-devel] [PATCH v6 8/14] client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect

2020-07-15 Thread tincanteksup
typo On 15/07/2020 15:16, Arne Schwabe wrote: This patch moves the state, that was previously tracked within the multi_connection_established() function, into struct client_connect_state. The multi_connection_established() function can now be exited and re-entered as many times as necessary - w

Re: [Openvpn-devel] [PATCH v5 14/14] client-connect: Add documentation for the deferred client connect feature

2020-07-13 Thread tincanteksup
Because this is documentation I have been a little harder on grammar. These are only suggestions to improve readability. On 11/07/2020 10:36, Arne Schwabe wrote: Patch V5: Fix typos, clarify man page section about deferred client-connect script. Add section to Changes.rst Signed-off

Re: [Openvpn-devel] [PATCH v5 12/14] client-connect: Add deferred support to the client-connect plugin v1 handler

2020-07-13 Thread tincanteksup
2x gram On 11/07/2020 10:36, Arne Schwabe wrote: From: Fabian Knittel Uses the infrastructure provided and used in the previous patch to provide deferral support to the v1 client-connect plugin handler as well. Signed-off-by: Fabian Knittel PATCH V3: Modify the API to also (optionally) call

Re: [Openvpn-devel] [PATCH v5 10/14] client-connect: Move adding inotify watch into its own function

2020-07-13 Thread tincanteksup
On 11/07/2020 10:36, Arne Schwabe wrote: This make the code a bit better readable and also prepares resuing resuing -> reusing (Don't ask me why this is not re-using, which is how I would probably spell it and my teacher would laugh at me) Grammar: This make the code more readable the

Re: [Openvpn-devel] [PATCH v5 09/14] client-connect: Add deferred support to the client-connect script handler

2020-07-13 Thread tincanteksup
5x typo 2x gram On 11/07/2020 10:36, Arne Schwabe wrote: From: Fabian Knittel This patch introduces the concept of a return value file for the client-connect handlers. (This is very similar to the auth value file used during deferred authentication.) The file name is stored in the client_conn

Re: [Openvpn-devel] [PATCH v5 08/14] client-connect: Add CC_RET_DEFERRED and cope with deferred client-connect

2020-07-13 Thread tincanteksup
1x typo + 1x gram (in comments) On 11/07/2020 10:36, Arne Schwabe wrote: From: Fabian Knittel This patch moves the state, that was previously tracked within the multi_connection_established() function, into struct client_connect_state. The multi_connection_established() function can now be ex

Re: [Openvpn-devel] [PATCH v5 03/14] client-connect: Refactor multi_client_connect_source_ccd

2020-07-13 Thread tincanteksup
1x grammar On 11/07/2020 10:36, Arne Schwabe wrote: From: Fabian Knittel Refactor multi_client_connect_source_ccd(), so that options_server_import() (or the success path in general) is only entered in one place within the function. Signed-off-by: Fabian Knittel Patch V5: Simplify the logic

Re: [Openvpn-devel] [PATCH v5 02/14] client-connect: Split multi_connection_established into separate functions

2020-07-13 Thread tincanteksup
spelling, 1x grammar: On 11/07/2020 10:36, Arne Schwabe wrote: From: Fabian Knittel This patch splits up the multi_connection_established() function. Each new helper function does a specific job. Functions that do a similar job receive a similar calling interface. The patch tries not to rei

Re: [Openvpn-devel] [PATCH v5 01/14] Allow changing fallback cipher from ccd files/client-connect

2020-07-13 Thread tincanteksup
grammar: On 11/07/2020 10:36, Arne Schwabe wrote: This allows to control the fallback cipher that is used when the client/server do have any common cipher on a per client basis. client/server do not have any common cipher The patch is similar to Steffan's [PATCH v4] Allow changing cipher f

Re: [Openvpn-devel] [PATCH v5 07/14] client-connect: Change cas_context from int to enum

2020-07-13 Thread tincanteksup
1x typo On 11/07/2020 10:36, Arne Schwabe wrote: This deviates from Fabian's original patch that relied on the now removed connection_established bool as pointer being NULL or non NULL as implicit third state and makeing connection_established as a substate of makeing -> making (cas_context

Re: [Openvpn-devel] [PATCH 5/8] Generate data channel keys after connect options have been parsed

2020-07-09 Thread tincanteksup
possible white-space error ? On 09/07/2020 11:16, Arne Schwabe wrote: The simplify the control flow, it makes more sense to generate the data keys when all the prerequisites for generating the data channel keys (ncp cipher selection etc) are met instead of delaying it to the next incoming PUSH_R

Re: [Openvpn-devel] [PATCH 2/8] Make key_state->authenticated more state machine like

2020-07-09 Thread tincanteksup
typo x3 On 09/07/2020 11:15, Arne Schwabe wrote: This order the states from unauthenticated to authenticated and also changes the comparison for KS_AUTH_FALSE from != to > It also add comments and documents part using the state machine better. Remove a now obsolete comment and two obsolete ifd

Re: [Openvpn-devel] [PATCH 4/8] Move protocol option negotiation from push_prepare to new function

2020-07-09 Thread tincanteksup
typo On 09/07/2020 11:15, Arne Schwabe wrote: This clean ups the code and removes the surprising side effects of preparing a push reply to also select protocol options. We also remember if we have seen a push request without async push. This improves reaction time if deferred auth is involved l

Re: [Openvpn-devel] [PATCH 2/8] Make key_state->authenticated more state machine like

2020-07-09 Thread tincanteksup
Typo On 09/07/2020 11:15, Arne Schwabe wrote: This order the states from unauthenticated to authenticated and also changes the comparison for KS_AUTH_FALSE from != to > It also add comments and documents part using the state machine better. Remove a now obsolete comment and two obsolete ifdefs

Re: [Openvpn-devel] [Patch] New man page corrections - windows-options.rst

2020-07-02 Thread tincanteksup
BTW: This is only round 1 of spelling and grammar checking. I have had to really hold off from getting nasty with commas etc. I have tried to only fix the most obvious faux pas ... ;-) On 02/07/2020 14:50, tincanteksup wrote: Hi Jonathan, these are going to the new manpage, see: https

Re: [Openvpn-devel] [Patch] New man page corrections - windows-options.rst

2020-07-02 Thread tincanteksup
Hi Jonathan, these are going to the new manpage, see: https://gitlab.com/dazo/openvpn/-/tree/dev/man-reformatting They don't really need an ACK because dazo will review them first anyway but thanks all the same :) Regards On 02/07/2020 14:41, Jonathan K. Bullard wrote: Improves English dic

Re: [Openvpn-devel] [PATCH] New man page corrections - encryption-options.rst

2020-06-26 Thread tincanteksup
Comment inline: On 26/06/2020 15:29, Richard Bonhomme wrote: Signed-off-by: Richard Bonhomme --- doc/man-sections/encryption-options.rst | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/man-sections/encryption-options.rst b/doc/man-sections/encryption-options.

Re: [Openvpn-devel] [PATCH] Do not write extra 0 byte for --gen-key with auth-token/tls-crypt-v2

2020-04-06 Thread tincanteksup
I have tested this fix all the way to ensuring that tls-crypt-v2.keys are created successfully and do allow successful VPN connection. I have not tested auth-tokens. Tested-by: Richard Bonhomme On 06/04/2020 14:00, Arne Schwabe wrote: crypto_pem_encode put a nul-terminated terminated string i

Re: [Openvpn-devel] Summary of the community meeting (16th January 2020)

2020-01-17 Thread tincanteksup
Correction below. On 17/01/2020 12:28, tincanteksup wrote: The following information is also applicable to *Nix. In order to use the upgrade, simply copy your EasyRSA-2 PKI (Generally found in ./Keys directory under Easy-rsa directory) to Easyrsa3 directory and run: './easyrsa upgrad

Re: [Openvpn-devel] Summary of the community meeting (16th January 2020)

2020-01-17 Thread tincanteksup
The following information is also applicable to *Nix. With regard to packaging EasyRSA-3 with Windows in the future. The reason EasyRSA-3 has not been the default package for Windows is due to EasyRSA-2 PKI not being suitable for use in EasyRSA-3, due to the layout. This issue now has a solut

Re: [Openvpn-devel] [PATCH v7 2/2] Add support for OpenSSL TLS 1.3 when using management-external-key

2019-11-22 Thread tincanteksup
Tiny grammar concern: On 22/11/2019 14:33, Arne Schwabe wrote: For TLS 1.0 to 1.2 and OpenSSL 1.1.0 calls us and requires a PKCS1 padded response. As TLS 1.3 mandates RSA-PSS padding support and also requires an TLS 1.3 implementation to support RSA-PSS for older TLS version, OpenSSL will query

Re: [Openvpn-devel] [PATCH v2] Fix ACL_CHECK_ADD_COMPILE_FLAGS to work with clang

2019-11-19 Thread tincanteksup
Typo below, On 19/11/2019 17:03, selva.n...@gmail.com wrote: From: Selva Nair Some compilers (e.g., clang) only issue a warning for unsupported options unless an additional flag such as -Werror is used to convert the warning to an error. The behaviour is unchanged when using gcc as it either

Re: [Openvpn-devel] [PATCH applied] Re: VLAN: add basic VLAN tagging support

2019-11-07 Thread tincanteksup
Hi, On 07/11/2019 12:42, Lev Stipakov wrote: Hi, I'm a bit unhappy with that one, as it changes behaviour for all non-windows builds (including all the openssl build output even if it succeeds). The only place it changes behavior is this install: - if [ ! -z "${CHOST}" ]; then unset

Re: [Openvpn-devel] [PATCH v6] openvpnserv: enable interactive service to open tun

2019-07-23 Thread tincanteksup
Looks like a typo below: On 23/07/2019 10:21, Lev Stipakov wrote: From: Lev Stipakov This patch enables interactive service to open tun device. This is mostly needed by Wintun, which could be opened only by privileged process. When interactive service is used, instead of calling CreateFile()

Re: [Openvpn-devel] [PATCH v4 2/7] Implement --genkey type keyfile syntax and migrate tls-crypt-v2

2019-06-26 Thread tincanteksup
Unimportant non escaped dashes openvpn.8 & one typo On 13/06/2019 14:48, Arne Schwabe wrote: This unifies our key generation and also migrates the generation of the tls-crypt-v2 keys. Since tls-crypt-v2 is not included in any released version, we remove the the old syntax without compatibility.

Re: [Openvpn-devel] New OpenVPN 2.4.7 installers with tap-windows6 and other components

2019-04-20 Thread tincanteksup
Tested and working, 32bit Win7 install over a previous install. On 20/04/2019 10:16, Samuli Seppänen wrote: Hi all, Here are completely untested OpenVPN 2.4.7 installers which I wanted to get out for testing a.s.a.p.:

Re: [Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-20 Thread tincanteksup
Correction >From: Selva Nair > >Make clear that --dhcp-option is not processed on >non-Windows clients This thread was _initially_ about pushing DNS to Linux clients. I mean "non-windows" clients.

Re: [Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-20 Thread tincanteksup
On 20/03/2019 18:12, tincanteksup wrote: bonjour On 20/03/2019 17:25, Selva Nair wrote: On Wed, Mar 20, 2019 at 10:52 AM tincanteksup wrote: On 20/03/2019 13:25, Selva Nair wrote: Hi, On Wed, Mar 20, 2019 at 4:02 AM Antonio Quartulli wrote: Hi, On 18/03/2019 22:30, tincanteksup

Re: [Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-20 Thread tincanteksup
bonjour On 20/03/2019 08:00, Antonio Quartulli wrote: Hi, On 18/03/2019 22:30, tincanteksup wrote: Hi, this situation has been hanging around for so long is this brief note really enough? Considering that the manual has numerous other URLs why not include this URL here: https

Re: [Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-20 Thread tincanteksup
bonjour On 20/03/2019 17:25, Selva Nair wrote: On Wed, Mar 20, 2019 at 10:52 AM tincanteksup wrote: On 20/03/2019 13:25, Selva Nair wrote: Hi, On Wed, Mar 20, 2019 at 4:02 AM Antonio Quartulli wrote: Hi, On 18/03/2019 22:30, tincanteksup wrote: Hi, this situation has been hanging

Re: [Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-20 Thread tincanteksup
On 20/03/2019 13:25, Selva Nair wrote: Hi, On Wed, Mar 20, 2019 at 4:02 AM Antonio Quartulli wrote: Hi, On 18/03/2019 22:30, tincanteksup wrote: Hi, this situation has been hanging around for so long is this brief note really enough? Considering that the manual has numerous other URLs

Re: [Openvpn-devel] [PATCH] Improve the documentation for --dhcp-option

2019-03-18 Thread tincanteksup
Hi, this situation has been hanging around for so long is this brief note really enough? Considering that the manual has numerous other URLs why not include this URL here: https://community.openvpn.net/openvpn/wiki/Pushing-DNS-to-clients We already have this: https://community.openvpn.net/openvp

Re: [Openvpn-devel] [Help required] Testing MSI installations

2019-01-02 Thread tincanteksup
On 02/01/2019 18:46, Gert Doering wrote: Hi, On Wed, Jan 02, 2019 at 04:37:33PM +, Simon Rozman wrote: Even though there are errors reported the VPN still works for both IPv4 and 6 with both versions of the binary. Probably a patch between 2.4.6 from 26/Apr/2018 and 2.4.6-m4 from 1/Jan

Re: [Openvpn-devel] [Help required] Testing MSI installations

2019-01-02 Thread tincanteksup
Hi, On 02/01/2019 14:11, tincanteksup wrote: Successfully install 32bit from .exe However, there appears to be a problem .. https://paste.fedoraproject.org/paste/Ih2LYl0cR8YoKnI2lNwhcQ Part 1 is the client log *with* errors using the binary from your installer 2.4.6-m4 dated 1/Jan/2019

Re: [Openvpn-devel] [Help required] Testing MSI installations

2019-01-02 Thread tincanteksup
Successfully install 32bit from .exe On 01/01/2019 23:34, Simon Rozman wrote: Hi, I have found and fixed the issue with the installer: all 32-bit MSI packages were affected - didn't notice it myself as all my testing machines turned out to be 64-bit :(. New version of the installer is availa

Re: [Openvpn-devel] Ubuntu 18.04 packages available for testing

2018-12-30 Thread tincanteksup
Hi, On 30/12/2018 14:56, Samuli Seppänen wrote: Hi, On 29/12/18 22:06, tincanteksup wrote: debian/rules clean dh clean make: dh: Command not found Package "debhelper" is missing. When using Vagrant debhelper gets installed in the provisioning script: https://

Re: [Openvpn-devel] Ubuntu 18.04 packages available for testing

2018-12-29 Thread tincanteksup
On 28/12/2018 14:21, tincanteksup wrote: Hi, On 27/12/2018 18:11, Samuli Seppänen wrote: >> Also, if you can, please review these PRs which enable anyone to build the Ubuntu/Debian packages, including ones for Ubuntu 18.04: https://github.com/OpenVPN/sbuild_wrapper/pull/1

Re: [Openvpn-devel] Ubuntu 18.04 packages available for testing

2018-12-28 Thread tincanteksup
Hi, On 27/12/2018 18:11, Samuli Seppänen wrote: Hi, I've produced OpenVPN 2.4.6 packages for Ubuntu 18.04 and they're now available here: https://build.openvpn.net/downloads/temp/ The Debian packaging files are taken from Ubuntu's own 18.04 openvpn package. They already used our openvpn-clien

Re: [Openvpn-devel] [Help required] Testing MSI installations

2018-12-20 Thread tincanteksup
On 20/12/2018 14:22, tincanteksup wrote: On 20/12/2018 14:00, tincanteksup wrote: On 20/12/2018 13:52, tincanteksup wrote: On 20/12/2018 13:46, tincanteksup wrote: Hi, On 19/12/2018 21:55, Simon Rozman wrote: Hi, Remember: Test it to fail! Any feedback kindly appreciated. I

Re: [Openvpn-devel] [Help required] Testing MSI installations

2018-12-20 Thread tincanteksup
On 20/12/2018 14:00, tincanteksup wrote: On 20/12/2018 13:52, tincanteksup wrote: On 20/12/2018 13:46, tincanteksup wrote: Hi, On 19/12/2018 21:55, Simon Rozman wrote: Hi, Remember: Test it to fail! Any feedback kindly appreciated. I just tested this on a "fresh" Win7

Re: [Openvpn-devel] [Help required] Testing MSI installations

2018-12-20 Thread tincanteksup
On 20/12/2018 13:52, tincanteksup wrote: On 20/12/2018 13:46, tincanteksup wrote: Hi, On 19/12/2018 21:55, Simon Rozman wrote: Hi, Remember: Test it to fail! Any feedback kindly appreciated. I just tested this on a "fresh" Win7 VM and it failed. By "fresh"

Re: [Openvpn-devel] [Help required] Testing MSI installations

2018-12-20 Thread tincanteksup
On 20/12/2018 13:46, tincanteksup wrote: Hi, On 19/12/2018 21:55, Simon Rozman wrote: Hi, Remember: Test it to fail! Any feedback kindly appreciated. I just tested this on a "fresh" Win7 VM and it failed. By "fresh" I mean this:   The Win7

Re: [Openvpn-devel] [Help required] Testing MSI installations

2018-12-20 Thread tincanteksup
Hi, On 19/12/2018 21:55, Simon Rozman wrote: Hi, Remember: Test it to fail! Any feedback kindly appreciated. I just tested this on a "fresh" Win7 VM and it failed. By "fresh" I mean this: The Win7 VM is from: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ Credit

Re: [Openvpn-devel] [PATCH] tls-crypt-v2: fix client reconnect bug

2018-10-31 Thread tincanteksup
Tested this with Ubuntu client, patch applied & Arch server, current master and it worked correctly. Client did not crash when trying to "reconnect" to a server when the server had been changed from TLS Crypt V2 to V1. When the server was changed back to V2 the client connected successfully.
